NIST 800-53 REV 5 • ACCESS CONTROL
AC-7(1) — Automatic Account Lock
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
This enhancement makes the lockout automatic — the system must handle it without needing a human to intervene. When the threshold is hit, the account locks immediately.
Example 1: The same GPO settings from AC-7 handle this — Windows automatically locks the account after the configured number of failed attempts. Verify it is working by checking Event ID 4740 (account lockout) in the Security log on your domain controllers.
Example 2: On Linux, configure the PAM auth stack (/etc/pam.d/common-auth on Debian/Ubuntu; /etc/pam.d/system-auth and password-auth on RHEL-family systems) with the pam_faillock module; pam_tally2 is deprecated and has been removed from current Linux-PAM releases. pam_faillock needs a preauth line before the password module, an authfail line after it, and an account line, e.g. auth required pam_faillock.so preauth silent deny=5 unlock_time=1800, then auth [default=die] pam_faillock.so authfail deny=5 unlock_time=1800, then account required pam_faillock.so. This locks the account for 30 minutes (1800 seconds) after 5 failed attempts, and it happens automatically at the PAM level with no administrator action.
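As an added check for the Linux example (this script is not part of the NIST control text or of any distribution's tooling), the following POSIX shell audits a PAM stack file for the three pam_faillock lines and compares the inline deny= and unlock_time= values against a policy ceiling and floor, which is the evidence an assessor asks for under this enhancement. It assumes the thresholds are set inline on the module lines rather than in /etc/security/faillock.conf, and the two stacks it builds in demo are constructed sample data, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the NIST control text): audit a PAM stack file for an
# automatic pam_faillock lockout policy. Assumes deny= and unlock_time= are set
# inline on the module lines, not in /etc/security/faillock.conf.

# faillock_option FILE OPTION
#   Print the numeric value of OPTION= from the pam_faillock authfail line in
#   FILE; print nothing if the line or the option is missing.
faillock_option() {
    file="$1"; opt="$2"
    grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*authfail' "$file" \
        | sed -n "s/.*[[:space:]]$opt=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# check_faillock_policy FILE MAX_DENY MIN_UNLOCK
#   Return 0 when FILE has the preauth, authfail and account pam_faillock lines
#   and the authfail line's deny= is at most MAX_DENY and unlock_time= is at
#   least MIN_UNLOCK seconds; return 1 (with a reason) otherwise.
check_faillock_policy() {
    file="$1"; max_deny="$2"; min_unlock="$3"
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
    for action in preauth authfail; do
        grep -Eq "^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*$action" "$file" \
            || { echo "FAIL: no 'auth ... pam_faillock.so $action' line in $file"; return 1; }
    done
    grep -Eq '^[[:space:]]*account[[:space:]].*pam_faillock\.so' "$file" \
        || { echo "FAIL: no 'account ... pam_faillock.so' line in $file"; return 1; }
    deny=$(faillock_option "$file" deny)
    unlock=$(faillock_option "$file" unlock_time)
    [ -n "$deny" ] && [ "$deny" -le "$max_deny" ] \
        || { echo "FAIL: deny=${deny:-unset} exceeds policy maximum $max_deny"; return 1; }
    [ -n "$unlock" ] && [ "$unlock" -ge "$min_unlock" ] \
        || { echo "FAIL: unlock_time=${unlock:-unset} below policy minimum $min_unlock"; return 1; }
    echo "OK: $file locks after $deny failures for $unlock seconds"
    return 0
}

# demo: run the check against two constructed stacks (sample data, not real
# system files): one matching the 5-attempt / 30-minute policy, one far looser.
demo() {
    good=$(mktemp); bad=$(mktemp)
    cat > "$good" <<'EOF'
auth     required      pam_faillock.so preauth silent deny=5 unlock_time=1800
auth     sufficient    pam_unix.so nullok
auth     [default=die] pam_faillock.so authfail deny=5 unlock_time=1800
account  required      pam_faillock.so
EOF
    cat > "$bad" <<'EOF'
auth     required      pam_faillock.so preauth silent deny=50 unlock_time=60
auth     sufficient    pam_unix.so nullok
auth     [default=die] pam_faillock.so authfail deny=50 unlock_time=60
account  required      pam_faillock.so
EOF
    check_faillock_policy "$good" 5 1800
    check_faillock_policy "$bad" 5 1800 || echo "  (loose stack rejected as expected)"
    rm -f "$good" "$bad"
}

demo
```

On a real host, point the check at the live stack, e.g. check_faillock_policy /etc/pam.d/common-auth 5 1800. Once the stack is in place, the faillock utility that ships with the module shows the recorded failure tally for an account (faillock --user NAME) and clears a lockout (faillock --user NAME --reset), which is the Linux counterpart of reading Event ID 4740 on Windows. If a site keeps its thresholds in /etc/security/faillock.conf instead of on the module lines, extend faillock_option to read that file as well; this version deliberately reports them as unset rather than guessing.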